Experience of Incorporating NIST Standards in a Digital Forensics Curricula* Sankardas Roy Computer Science Department BGSU Ohio, USA [email protected] Yan Wu Computer Science Department BGSU Ohio, USA [email protected] Kristina N. LaVenia Leadership Studies Department BGSU Ohio, USA [email protected] Abstract—Recently, Bowling Green State University (BGSU) has started to offer a Digital Forensics specialization program for Computer Science undergraduate students. We (the authors of this paper) actively took part in developing and evaluating the curricula for this program. The overarching goal of the specialization program is to build a digital forensics workforce for the state and the nation. Realizing the importance of standards of digital forensics tools in real-life forensic examinations, we made an effort to incorporate lessons on standardization in the curricula. In particular, so far we incorporated National Institute of Standards and Technology (NIST) standards for three digital forensics topics (Hardware Write Blocker, Deleted File Recovery, and Mobile Forensics) in the curricula. We faced many challenges over the journey but also attained some success. In this paper we share our experience to the community. We believe this account may be helpful to others who are about to begin such a journey. Index Terms—Digital Forensics (DF), curricula development, NIST standards, Computer Forensics Tool Testing (CFTT), Hardware Write Blocker (HWB), Deleted File Recovery (DFR), Smart Phone Forensics. I. I NTRODUCTION FISMA (Federal Information Security Management Act) 2002 is a US federal law in which the importance of in- formation security was recognized and promoted. Around FISMA, a variety of standards documents are created and disseminated by NIST (National Institute of Standards and Technology) to guide everyday IT activities. Among them, NIST Cybersecurity Framework released in early 2014 has motivated industry to adopt security standards. It is critical that security professionals are prepared with the skill sets needed for tomorrow’s workforce. Information security and digital forensics are two such areas in which security professionals should be trained. These areas have much in common: the information security covers live prevention of attacks, while digital forensics covers post- mortem mechanisms. Digital forensics is used in government, *This work was partially supported by the US National Institute of Standards and Technology (NIST) under the grant number #70NANB17H321. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the above agency. industry, and law enforcement to help us investigate computer systems and data in order to analyze and present information for criminal cases. Digital forensics also helps in determining how unauthorized users hacked into a system and in gathering related information. The (Ohio) State Attorney General’s Center for the Future of Forensic Science on the BGSU campus offers forensics science specialization programs in a couple of areas (Biol- ogy, Chemistry, and more). Considering the omnipresence of electronic devices (computer, mobile phones, and the likes) in our daily life, a specialization program in Digital Forensics (DF) would naturally complement other programs in forensics science. The Computer Science (CS) department at BGSU has recently developed a DF specialization program, which was planned to start from the fall semester of 2017. Wu and Roy were actively involved in the planning of the digital forensics curricula and the digital forensics lab from the very beginning. Wu and Roy have received a NIST award in 2017 Septem- ber, which is about incorporating NIST CFTT (Computer Forensics Tool Testing) standards in BGSU digital forensics curricula. One main goal of the project is to identify the key areas of digital forensics program, which are most important to be standardized, and wherever applicable, to develop lecture slides, case studies and modularized lab (i.e., hands-on activ- ity) materials. The project focuses on three particular digital forensics topics, namely Hardware Write Blocker, Deleted File Recovery, and Mobile Forensics. Lavenia (who is a specialist educator) has joined the project as the evaluator of the developed curricula. Finally, in 2018 Fall, the BGSU CS department has started offering a Digital Forensics Specialization program for stu- dents with CS major. As part of this program, in 2018 Fall, Roy has taught course CS4320: Computer and Mobile Foren- sics, whereas Wu has taught course CS3320: Introduction to Computer Security. In these courses, Roy and Wu have implemented and used the “standards education” modules mentioned above. Lavenia has designed specialized surveys for students in both the courses to measure students’ self-efficacy. We as a team have also designed surveys to measure students’ advancement in technical knowledge about standards. In sum- mary, the data shows students have made some progress when they completed the courses. 978-1-7281-2827-6/19/$31.00 ©2019 IEEE
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Experience of Incorporating NIST Standards in a Digital Forensics
Curricula*
Sankardas Roy Computer Science Department
BGSU Ohio, USA
BGSU Ohio, USA
BGSU Ohio, USA
[email protected]
Abstract—Recently, Bowling Green State University (BGSU) has started to offer a Digital Forensics specialization program for Computer Science undergraduate students. We (the authors of this paper) actively took part in developing and evaluating the curricula for this program. The overarching goal of the specialization program is to build a digital forensics workforce for the state and the nation. Realizing the importance of standards of digital forensics tools in real-life forensic examinations, we made an effort to incorporate lessons on standardization in the curricula. In particular, so far we incorporated National Institute of Standards and Technology (NIST) standards for three digital forensics topics (Hardware Write Blocker, Deleted File Recovery, and Mobile Forensics) in the curricula. We faced many challenges over the journey but also attained some success. In this paper we share our experience to the community. We believe this account may be helpful to others who are about to begin such a journey.
Index Terms—Digital Forensics (DF), curricula development, NIST standards, Computer Forensics Tool Testing (CFTT), Hardware Write Blocker (HWB), Deleted File Recovery (DFR), Smart Phone Forensics.
I. INTRODUCTION
FISMA (Federal Information Security Management Act) 2002 is a US federal law in which the importance of in- formation security was recognized and promoted. Around FISMA, a variety of standards documents are created and disseminated by NIST (National Institute of Standards and Technology) to guide everyday IT activities. Among them, NIST Cybersecurity Framework released in early 2014 has motivated industry to adopt security standards. It is critical that security professionals are prepared with the skill sets needed for tomorrow’s workforce.
Information security and digital forensics are two such areas in which security professionals should be trained. These areas have much in common: the information security covers live prevention of attacks, while digital forensics covers post- mortem mechanisms. Digital forensics is used in government,
*This work was partially supported by the US National Institute of Standards and Technology (NIST) under the grant number #70NANB17H321. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the above agency.
industry, and law enforcement to help us investigate computer systems and data in order to analyze and present information for criminal cases. Digital forensics also helps in determining how unauthorized users hacked into a system and in gathering related information.
The (Ohio) State Attorney General’s Center for the Future of Forensic Science on the BGSU campus offers forensics science specialization programs in a couple of areas (Biol- ogy, Chemistry, and more). Considering the omnipresence of electronic devices (computer, mobile phones, and the likes) in our daily life, a specialization program in Digital Forensics (DF) would naturally complement other programs in forensics science. The Computer Science (CS) department at BGSU has recently developed a DF specialization program, which was planned to start from the fall semester of 2017. Wu and Roy were actively involved in the planning of the digital forensics curricula and the digital forensics lab from the very beginning.
Wu and Roy have received a NIST award in 2017 Septem- ber, which is about incorporating NIST CFTT (Computer Forensics Tool Testing) standards in BGSU digital forensics curricula. One main goal of the project is to identify the key areas of digital forensics program, which are most important to be standardized, and wherever applicable, to develop lecture slides, case studies and modularized lab (i.e., hands-on activ- ity) materials. The project focuses on three particular digital forensics topics, namely Hardware Write Blocker, Deleted File Recovery, and Mobile Forensics. Lavenia (who is a specialist educator) has joined the project as the evaluator of the developed curricula.
Finally, in 2018 Fall, the BGSU CS department has started offering a Digital Forensics Specialization program for stu- dents with CS major. As part of this program, in 2018 Fall, Roy has taught course CS4320: Computer and Mobile Foren- sics, whereas Wu has taught course CS3320: Introduction to Computer Security. In these courses, Roy and Wu have implemented and used the “standards education” modules mentioned above. Lavenia has designed specialized surveys for students in both the courses to measure students’ self-efficacy. We as a team have also designed surveys to measure students’ advancement in technical knowledge about standards. In sum- mary, the data shows students have made some progress when they completed the courses.978-1-7281-2827-6/19/$31.00 ©2019 IEEE
In this paper we share our experience on the aforementioned front with the community, which may help others who will take a similar endeavor in the future.
II. BACKGROUND
A. Digital Forensics Specialization Program at BGSU
Since Fall of 2018 the BGSU CS department has started dig- ital forensics specialization to fulfill the emerging requirements for Cybersecurity/Digital Forensics experts. The requirements of this specialization include 12 credit hours of courses, which are CS 3210: Introduction to Software Security OR CS 3320:Introduction to Computer Security, CS 4320: Computer and Mobile Forensics, CS 4330: Network Security and Foren- sics, and CRJU 4400: Law, Evidence Procedures in Forensic Science. CS 3210 involves the introduction to software secu- rity and secure programming guidelines, basic security issues of programming languages, C and C++, and secure coding. As entrance courses and prerequisite to the other two DF courses, CS 3320 involves the fundamental knowledge in computer security such as confidentiality, integrity and availability; Basic security mechanisms such as access control, authentication, cryptography and software security; Overview of data logs audit and analysis; Introduction to spyware and malware. CS 4320 introduces computer forensic procedures: identification and collection of potential evidence; reverse engineering; analysis and reporting. Hands-on experience with forensics tools. Forensic mechanisms for mobile devices. Analysis of synthetic and real datasets. CS 4330 provides a comprehensive understanding of network forensics analysis principles, helps students learn to identify network security incidents and po- tential sources of digital evidence and demonstrate the ability to perform basic network data acquisition and analysis using computer-based applications and utilities. CRJU 4400 provides an overview and examination of the legal aspects of physical evidence including rules of evidence, procedural rules, and the role of expert witnesses. Overall, this DF specialization is designed to provide Computer Science students necessary knowledge and tools from both practical Digital Forensics courses and relevant law regulations.
In the meantime we are planning for a Digital Forensics lab. Supported by Arts and Sciences college, Department of Computer Science was given a dedicated lab space and neces- sary equipment to supplement the designed Digital Forensics curricula. The DF lab will have 30 personal computers, nec- essary networking equipment, basic digital forensic hardware, and a set of software tools to fulfill the needs of the designed DF courses.
B. NIST CFTT standards for digital forensics tools
NIST’s CFTT division has set standards for digital forensics tools. The goal of CFTT project is to “establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.” They expect to provide the interesting information for toolmakers, users, or for any interested parties with various goals [1]. Other than the CFTT downloadable
testing environment, they also provide Computer Forensic Reference Data Sets (CFReDS) as a repository of images for investigation, training, and testing purposes.
Our NIST grant supports us on developing the DF curricula and incorporate NIST DF standards into them, in the form of lecture, hands-on labs and exercises. We will introduce the details of the curricula and evaluation data in the following sections.
III. BUILDING THE DIGITAL FORENSICS CURRICULA
Below we report on our efforts to incorporating standards education in BGSU curricula of cybersecurity and digital forensics. In particular, we have incorporated NIST standards in three modules of the digital forensics curricula as follows.
A. Hardware Write Blocker (HWB)
Typically, HWB works as a bridge between the host com- puter and the storage disk. It prevents “write” commands (which may modify data/evidence) from reaching the storage disk but allows information on the disk to flow to the forensic tool (or the OS) on the host computer.
1) Pre-course Plan: One main goal is to make students familiar with NIST’s Hardware Write Blocker Device (HWB) Specification [2]. This document lists four categories of com- mands (to access a storage device), such as modifying, read, information, and other non-modifying. These commands can originate from the host computer via the BIOS, operating system, file system operations or the forensic tool in use. The minimum requirement for a HWB is to ensure that no modifying command can pass through. It is essential for the students to learn how to evaluate a HWB device conforming to the standards.
2) Implementation: For the sake of concreteness, below we present details of one sample lab exercise in the HWB module and we also list the tools/supports that are needed to run this lab.
Tools/supports needed: (i) NIST CFTT Federated Testing Linux system. This bootable system can be freely downloaded from the CFTT portal.(ii) HWB devices. We bought 9 counts of this device whose price was about 400$ each; (iii) Hard disks. We bought 30 counts of hard disks whose average price was about 30$. (iv) Host computers: We already have regular desktop computers in the labs on which students run the VM using VirtualBox. An example setup of the HWB device (which is under evaluation) is illustrated in Figure 1.
A sample lab exercise: The students are assigned the following tasks (derived from Federated Testing instructions).
Task 1: Use the Federated Testing ISO file to start a VM on VirtualBox on a desktop computer.
Task 2: On the welcome page of Federated Testing Forensic Tool Testing Environment, click on “Test a hardware write block tool”. Then, walk over the following steps to test a HWB. (a) Go to “Hardware Write Block Home” page and click on “ Get Started”. (b) Insert one flash drive to computer which you will use as Log Drive for this test. (c) Follow the instruction to mount the Log Drive. (d) Go to “Generate test
Fig. 1. The lab setup: The HWB device (which is under evaluation) is placed in the middle of the hard disk (which is under protection) and the host computer (running NIST CFTT Federated Testing System).
cases and start testing”. (e) Select a hardware write block type. Choose the “hard drive” option. (f) Describe the write blocker. Put in detailed information on manufacturer and model name, and so on. Select the drive type as SATA. Choose USB3 as the type of connection between test computer and HWB. (g) Select the FT-HWB-SATA option and ‘Run test case’. Get results. (h) Generate a test report; a test report copy will be written in the Log Drive. (i) Open the test report in a Windows computer, and copy the content of the report to a new word document. (j) Go to the log file in the Log Drive (something like hwbtestlog.txt) and find the detailed test results. Now focus on a specific write command (e.g., opcode 30h). During the test, this command (30h) was issued to write to one sector (say S) of the hard disk. Check the (reported) content of the sector S before the test and after the test. Briefly verify whether they are “unchanged.
3) Limitations and Future Plan: (i) In BGSU CS computer lab, for security reasons, machines do not have “boot from CD” option. As a way out, we have used a VM, which is loaded with Federated Testing system. Mostly, this solution worked for our students, except occasional collapse of the VM screen, which we addressed by rebooting the VM (possibly multiple times). (ii) The NIST CFTT exercise on HWB was informative to students and it was easy to do. Most of the students have successfully completed it and also generated an independent report on evaluating a HWB. However, students did not understand/appreciate the detailed evaluation report on specific commands (e.g., opcode 30h) that HWB blocks. We plan to add curricula modules in the next offering to make students familiar with this plus add more lab exercises to experiment with this.
B. Deleted File Recovery (DFR)
A DFR tool attempts to discover data that is not part of any active file on a storage disk, which is helpful in forensic analysis. If the data is recovered in its original form, we may get additional useful information.
1) Pre-course Plan: We mainly focus on incorporating the Active File Identification & Deleted File Recovery Tool Specification [3] in the DF course. The NIST document lists the requirements a DFR tool needs to satisfy. The first, Requirements for Core Features, are those features that should be present in all tools. The second is the Requirements for Optional Features. Core Features include (i) The tool identifying all deleted objects whose entries are accessible in residual metadata. (ii) The tool constructing a recovered object for each such entry. (iii) Each recovered object including all non-allocated data blocks. The NIST document lists two Optional Features, which are active file listing and content estimation of a recovered object.
2) Challenges: NIST only provides a list of specifica- tions/criteria for a DFR tool to meet. However, NIST does not provide sample file system images to evaluate the DFR tool on any of this criterion. We have to design such file system images on our own.
3) Implementation: For the sake of concreteness, below we present details of one sample lab exercise in the DFR module and we also list the tools/supports that are needed to run this lab.
Tools/supports needed: (i) DFR tools in Autopsy/SleuthKit (TSK) suite (ii) file system images in which some of the files are deleted using various tools, representing different scenarios.
A sample lab exercise: We have prepared two FAT images, which contain a few files (some of which were created and deleted). The students are given these images.
In Figure 2, File 1 is aa.txt (containing only char a’s), File 2 is bb.txt (containing only char b’s), File 3 is cc.txt (containing only char c’s) and File 4 is dd.txt (containing only char d’s). First, we created File 1, File 2, and File 3 in a FAT system (Image 1: fat.raw), where each one is of size 1 MB. These 3 files have filled in most of the space in the file system. Then, we deleted File 1 and File 3, and we created File 4 of size about 1.6 MB, which gets fragmented (due to space crunch). In Image 2 (fatDeletedOrOverwritten.raw), see File 4 overwrites whole of File 1 and part of File 3.
The students are assigned the following tasks to evaluate the TSK tool’s performance whereas it attempts to recover the file cc.txt.
Task 1: Use istat command to see the cc.txt meta-data information on fatDeletedOrOverwritten.dd image.
Task 2: Now verify that cc.txt is not completely overwritten by dd.txt.
Task 3: Now try to recover cc.txt file using the icat com- mand
Task 4: Now answer the following. Does TSK tool support NIST CFTT Core Features?
4) Limitations and Future Plan: (i) Thus far, we have only been able to design DFR tool evaluation exercises only for the NTFS and FAT system. There are many other file systems (e.g. ext3, ext4, etc.) to evaluate a DFR tool on. (ii) So far we designed exercises focusing on the “Core Features” of a DFR tool per NIST CFTT. There are many “Optional Features” of
Fig. 2. The FAT images to evaluate the DFR tool: The left image is fat.raw whereas the right image is fatDeletedOrOverwritten.raw.
a DFR tool to experiment on, which we plan to do in the next offering.
C. Mobile Forensics
Forensics professionals frequently need to extract data from mobile phones as part of the investigation.
1) Pre-course Plan: To ensure basic training of digital forensics students, we need to make them aware of the stan- dards related to evaluating a mobile forensics data extraction tool. To cover each standard, we design multiple labs, and include them in the DF curricula.
2) Challenges: NIST only provides a list of specifica- tions/criteria for a mobile forensics tool to meet. However, NIST does not provide sample mobile phone images to eval- uate the forensics tool on any of this criterion. We had to collect such mobile phone images from other sources, such as a NSF-funded digital forensics project at UIUC. We need multiple such phone images in the future to evaluate a mobile forensic tool.
3) Implementation: For the sake of concreteness, below we present details of one sample lab exercise in the mobile forensics module and we also list the tools/supports that are needed to run this lab.
Tools/supports needed: (i) The mobile forensics tool in Magnet Axiom suite, (ii) smart phone images containing sus- picious artifacts (e.g., contacts, call logs, sms, maps, browser history, etc.) representing a real-life criminal investigation case.
A sample lab exercise: The students analyze a mobile phone full image with Magnet Axiom tool suite. We have received the image from UIUC course/material on digital forensics. The tasks are as follows.
Task 1: Get the phone image mob.dd which is a full-image of a smart phone.
Task 2: Open Magnet Axiom Process with credentials.
Task 3: Add Case Details to Magnet Axiom Process while selecting the mob.dd file to analyze
Task 4: Analyze evidence and view all artifact categories. Task 5: Look into the SMS, contacts, call logs, maps and
browser information for the investigation, and build your case. Write a summary of your findings.
4) Limitations and Future Plan: (i) So far we could run mobile forensic tool evaluation exercise only for a particular model of smart phone. In the future, we need to make/collect smart phone images for multiple phone models to expand the domain of evaluation. (ii) So far we designed exercises focusing on the “core criteria” of a mobile forensics tool. There are many “auxiliary criteria” of a mobile forensics tool to experiment on, which we plan to do in the next offering.
In the future, we aim to incorporate NIST standards in additional modules (i.e., beyond the aforementioned three), such as Forensic File Carving, Forensic Media Preparation, Disk Imaging, String Search, Software Write Blocker, and more.
D. Setting up a digital forensics laboratory
So far at BGSU we have been using a make-shift digital forensics lab sharing few desktop machines and other facilities in the regular computer lab. This created many challenges for us who have offered cybersecurity and digital forensics courses recently. However, this experience has made us aware of the precise requirements of a digital forensics lab and a reliable setup. In fact, we have shared our experience with the IT support staff of BGSU; we have worked together to chalk out a physical layout of a digital forensics lab with detailed configuration of desktops, software/hardware tools, computer networking setup (especially due to the requirement of making a digital forensics lab isolated from other part of the network). For instance, we are to extend our academic license from a few digital forensic companies (e.g. Magnet
Axiom, etc.). Moreover, we are to buy more counts of standard hardware (e.g. HWB, etc.). In fact, BGSU has started building a dedicated digital forensics lab since January of 2019 which should be ready in a few months.
IV. EVALUATION OF STUDENTS LEARNING
A. Rationale and Purpose
We set out to understand if students, who enrolled in computer science courses designed to teach computer security and/or digital forensics, would demonstrate higher self-efficacy at the end of the semester, compared to their self-efficacy at the beginning of the semester. Specifically, we hypothesized that students would experience stronger computer science self- efficacy after taking these courses. This expectation was based on the project teams expertise in working with college students enrolled in computer science courses, as well as the current job opportunities for students studying computer science; there is strong market demand for experts in computer security and digital forensics. Thus, we expected that students who are able to learn more about these high-demand topics in the field of computer science would experience increased confidence in their own abilities as computer scientists. We also hypothesized that students enrolled in these courses would not experience increased general academic self-efficacy, given that the focus of the courses was specifically tailored to improving computer security and digital forensics skills, and not general academic skills.
Research Questions: The purpose of this exploratory study was to investigate the following research questions:
1. Is there a statistically significant increase in students general self-efficacy after participating in a semester-long computer security course?
2. Is there a statistically significant increase in students computer science self-efficacy after participating in a semester-long computer security course?
3. After learning about computer security, and NIST stan- dards in particular, what do students think about the importance of standardization?
B. Setting & Population
This study was conducted at a mid-sized public university in the Midwest United States. Participants (n = 20) were undergraduate (n = 16) and graduate (n = 4) students enrolled in two computer science courses during fall 2018. All students enrolled in these courses (n = 23) were invited to participate in our study. Participants were primarily male (99%) and Caucasian (70%).
C. Research Design & Instrumentation
This study employed a single-group pre-test/post-test de- sign. We administered the following measures (pre and post) as part of this study:
1) General self-efficacy: We administered the New General Self-Efficacy Scale [4] at both pre- and post-test online using Qualtrics, the universitys online survey tool. The NGSE is an eight-item questionnaire with response options scored on a 5- point Lickert-type scale from strongly disagree (1) to strongly agree (5). Questions on this measure include items such as: 1) I will be able to achieve most of the goals I have set for myself and 2) When facing difficult tasks, I am certain that I will accomplish them.
2) Computer Science Self-Efficacy: We administered the Self-Efficacy in Learning Computer Science Scale [5] at both pre- and post-test online using Qualtrics, the universitys online survey tool. The SELCSS is an eight-item questionnaire with response options scored on a 7-point Lickert-type scale from strongly disagree (1) to strongly agree (7). Please note: We used a 5-point scale for this measure because in our online questionnaire, the two self-efficacy measures were presented back-to-back. We wanted to make the response options easier for students to read and score. Questions on this measure include items such as: 1) “I believe I will receive and excellent grade in the computer science class” and 2) “I am certain I can understand the most difficult material in the computer science class.”
3) Qualitative Questionnaire for Students Understanding of NIST Standards and Network Security Protocols: This questionnaire was administered to students in the computer security course (n = 20). One of the projects Principal Inves- tigators developed the following questions to probe students understanding and support for standards/standardization:
1. We have learned that a number of Cryptography algo- rithms are made NIST standards. So in your opinion, is it important to standardize those algorithms? And why?
2. We have learned that a number of Network Security protocols are made standards. SO, in your opinion, is it important to standardize those algorithms? And why?
D. Data Analysis
Data analysis for the quantitative data included calculation of means, standard deviations, and t-tests for related samples. Data analysis for the qualitative feedback involved one of the projects principal investigators, along with the projects evaluator, examining student feedback and identifying com- ments that indicate a) whether or not the student agrees that standardization is important, and b) why students believe this to be true.
E. Results
For the quantitative analyses, we observed no change in students general self-efficacy at the end of the semester (see Table I). However, we did observe a positive, statistically significant change in students computer science self-efficacy (see Table II).
For the qualitative analyses focused on Importance of Standards: Students (n = 20) answered questions related to the importance of NIST standards. Student comments related
TABLE I COMPARISON OF COMPUTER SCIENCE STUDENTS’ GENERAL
SELF-EFFICACY PRE TO POST (N = 20).
Instrument Mean SD t p NGSE pretest 1.45 0.51 -0.281 0.780 NGSE posttest 1.50 0.61 Note: NGSE = New General Self Efficacy Scale.
TABLE II COMPARISON OF COMPUTER SCIENCE STUDENTS’ COMPUTER
SELF-EFFICACY PRE TO POST (N = 20).
Instrument Mean SD t p SELCSS pretest 1.65 0.67 -2.305 0.026 SELCSS posttest 2.20 0.83 Note: SELCSS = Self-Efficacy for Learning CS Scale. p < 0.05.
to importance of NIST standards: We share (Table III) ex- cerpts from comments that are typical responses students gave regarding whether (yes, n = 17) and why NIST standards are important. Note: Highlighted text indicates key words demonstrating support for standardization, and understanding of rationale for standards use.
TABLE III EXAMPLES OF STUDENTS’ QUALITATIVE FEEDBACK ON IMPORTANCE OF
NIST STANDARDS (N = 17)
It is important for a cryptographic algorithm to comply with NIST standards mostly because it protects people from attacks. Yes, following a standard ensures all criteria are met. Yes. Having a standardized hard to crack set of cryptography algorithms is very important in order to better regulate and ensure security standards in different systems. Without these algorithms, valuable assets can be at risk, and lazily implemented algorithms can be easily broken in to by attributes It is important to standardize these algorithms sufficient encryption strength is an integral part of cyber security. If these algorithms don’t meet the standard, there is no way of determining their adequacy and reliability, making the system vulnerable to attackers. Note: Three students who responded to these questions either did not believe standards are important, or offered rationale that was not clear and/or correct. Only a few excerpts are offered here due to space limitations.
F. Summary
The research team set out to understand whether teaching students about the use of professional industry standards for computer science might be associated with changes in students self-efficacy as well as students support for the use of these standards. We are encouraged that in spite of our small sample size, we did find positive, and statistically significant, improve- ments in students computer science self-efficacy. Moreover, nearly all students who responded to qualitative questions on the importance of standards indicated that they did support use of the standards as well as a clear rationale for why using standards is important for computer security. Resource con- straints did not allow for recruitment of a matched comparison
group. The project team would like to replicate this study in future semesters with the inclusion of a comparison group of computer science students and a larger sample size overall. We believe results of this study offer support for teaching students enrolled in computer science programs about NIST standards use and implementation.
V. CONCLUSION
The development of a digital forensics specialization pro- gram from scratch was challenging for us at BGSU. Yet it was an enriching experience. In this paper, we have discussed a few of the problems that we encountered. Furthermore, we have incorporated NIST standards in digital forensics curricula to better prepare the future workforce. Deliverables of the our NIST project include a set of lectures and hands- on activities to help students gain specific skills in various aspects of Digital Forensics discipline. The student evaluation data demonstrates effectiveness of delivering the designated knowledge and skills.
ACKNOWLEDGMENT
This work was supported by NIST [grant number #70NANB17H321]; The authors wish to thank the follow- ing graduate students for their work on this project: Shiva Bhusal, Sunil Shrestha, and Thamali Madhushani Adhikari Mudiyanselage.
REFERENCES
[1] Software Quality Group: Computer Forensics Tool Testing Program (CFTT), https://www.nist.gov/itl/ssd/software-quality-
group/computer-forensics-tool-testing-program-cftt
[2] Hardware Write Blocker Device (HWB) Specification (Version 2.0, May 19, 2004), https://www.nist.gov/sites/default/files/documents
/2017/05/09/hwb-v2-post-19-may-04.pdf
[3] Active File Identification Deleted File Recovery Tool Specification (March 24, 2009), https://www.nist.gov/sites/default/files/documents
/2017/05/09/dfr-req-1.1-pd-01.pdf
[4] Chen, G., Gully, S. M., Eden, D. (2004). General self-efficacy and self- esteem: Toward theoretical and empirical distinction between correlated self-evaluations. Journal of Organizational Behavior, 25(3), 375-395. doi:10.1002/job.251
Sankardas Roy Computer Science Department
BGSU Ohio, USA
BGSU Ohio, USA
BGSU Ohio, USA
[email protected]
Abstract—Recently, Bowling Green State University (BGSU) has started to offer a Digital Forensics specialization program for Computer Science undergraduate students. We (the authors of this paper) actively took part in developing and evaluating the curricula for this program. The overarching goal of the specialization program is to build a digital forensics workforce for the state and the nation. Realizing the importance of standards of digital forensics tools in real-life forensic examinations, we made an effort to incorporate lessons on standardization in the curricula. In particular, so far we incorporated National Institute of Standards and Technology (NIST) standards for three digital forensics topics (Hardware Write Blocker, Deleted File Recovery, and Mobile Forensics) in the curricula. We faced many challenges over the journey but also attained some success. In this paper we share our experience to the community. We believe this account may be helpful to others who are about to begin such a journey.
Index Terms—Digital Forensics (DF), curricula development, NIST standards, Computer Forensics Tool Testing (CFTT), Hardware Write Blocker (HWB), Deleted File Recovery (DFR), Smart Phone Forensics.
I. INTRODUCTION
FISMA (Federal Information Security Management Act) 2002 is a US federal law in which the importance of in- formation security was recognized and promoted. Around FISMA, a variety of standards documents are created and disseminated by NIST (National Institute of Standards and Technology) to guide everyday IT activities. Among them, NIST Cybersecurity Framework released in early 2014 has motivated industry to adopt security standards. It is critical that security professionals are prepared with the skill sets needed for tomorrow’s workforce.
Information security and digital forensics are two such areas in which security professionals should be trained. These areas have much in common: the information security covers live prevention of attacks, while digital forensics covers post- mortem mechanisms. Digital forensics is used in government,
*This work was partially supported by the US National Institute of Standards and Technology (NIST) under the grant number #70NANB17H321. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the above agency.
industry, and law enforcement to help us investigate computer systems and data in order to analyze and present information for criminal cases. Digital forensics also helps in determining how unauthorized users hacked into a system and in gathering related information.
The (Ohio) State Attorney General’s Center for the Future of Forensic Science on the BGSU campus offers forensics science specialization programs in a couple of areas (Biol- ogy, Chemistry, and more). Considering the omnipresence of electronic devices (computer, mobile phones, and the likes) in our daily life, a specialization program in Digital Forensics (DF) would naturally complement other programs in forensics science. The Computer Science (CS) department at BGSU has recently developed a DF specialization program, which was planned to start from the fall semester of 2017. Wu and Roy were actively involved in the planning of the digital forensics curricula and the digital forensics lab from the very beginning.
Wu and Roy have received a NIST award in 2017 Septem- ber, which is about incorporating NIST CFTT (Computer Forensics Tool Testing) standards in BGSU digital forensics curricula. One main goal of the project is to identify the key areas of digital forensics program, which are most important to be standardized, and wherever applicable, to develop lecture slides, case studies and modularized lab (i.e., hands-on activ- ity) materials. The project focuses on three particular digital forensics topics, namely Hardware Write Blocker, Deleted File Recovery, and Mobile Forensics. Lavenia (who is a specialist educator) has joined the project as the evaluator of the developed curricula.
Finally, in 2018 Fall, the BGSU CS department has started offering a Digital Forensics Specialization program for stu- dents with CS major. As part of this program, in 2018 Fall, Roy has taught course CS4320: Computer and Mobile Foren- sics, whereas Wu has taught course CS3320: Introduction to Computer Security. In these courses, Roy and Wu have implemented and used the “standards education” modules mentioned above. Lavenia has designed specialized surveys for students in both the courses to measure students’ self-efficacy. We as a team have also designed surveys to measure students’ advancement in technical knowledge about standards. In sum- mary, the data shows students have made some progress when they completed the courses.978-1-7281-2827-6/19/$31.00 ©2019 IEEE
In this paper we share our experience on the aforementioned front with the community, which may help others who will take a similar endeavor in the future.
II. BACKGROUND
A. Digital Forensics Specialization Program at BGSU
Since Fall of 2018 the BGSU CS department has started dig- ital forensics specialization to fulfill the emerging requirements for Cybersecurity/Digital Forensics experts. The requirements of this specialization include 12 credit hours of courses, which are CS 3210: Introduction to Software Security OR CS 3320:Introduction to Computer Security, CS 4320: Computer and Mobile Forensics, CS 4330: Network Security and Foren- sics, and CRJU 4400: Law, Evidence Procedures in Forensic Science. CS 3210 involves the introduction to software secu- rity and secure programming guidelines, basic security issues of programming languages, C and C++, and secure coding. As entrance courses and prerequisite to the other two DF courses, CS 3320 involves the fundamental knowledge in computer security such as confidentiality, integrity and availability; Basic security mechanisms such as access control, authentication, cryptography and software security; Overview of data logs audit and analysis; Introduction to spyware and malware. CS 4320 introduces computer forensic procedures: identification and collection of potential evidence; reverse engineering; analysis and reporting. Hands-on experience with forensics tools. Forensic mechanisms for mobile devices. Analysis of synthetic and real datasets. CS 4330 provides a comprehensive understanding of network forensics analysis principles, helps students learn to identify network security incidents and po- tential sources of digital evidence and demonstrate the ability to perform basic network data acquisition and analysis using computer-based applications and utilities. CRJU 4400 provides an overview and examination of the legal aspects of physical evidence including rules of evidence, procedural rules, and the role of expert witnesses. Overall, this DF specialization is designed to provide Computer Science students necessary knowledge and tools from both practical Digital Forensics courses and relevant law regulations.
In the meantime we are planning for a Digital Forensics lab. Supported by Arts and Sciences college, Department of Computer Science was given a dedicated lab space and neces- sary equipment to supplement the designed Digital Forensics curricula. The DF lab will have 30 personal computers, nec- essary networking equipment, basic digital forensic hardware, and a set of software tools to fulfill the needs of the designed DF courses.
B. NIST CFTT standards for digital forensics tools
NIST’s CFTT division has set standards for digital forensics tools. The goal of CFTT project is to “establish a methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware.” They expect to provide the interesting information for toolmakers, users, or for any interested parties with various goals [1]. Other than the CFTT downloadable
testing environment, they also provide Computer Forensic Reference Data Sets (CFReDS) as a repository of images for investigation, training, and testing purposes.
Our NIST grant supports us on developing the DF curricula and incorporate NIST DF standards into them, in the form of lecture, hands-on labs and exercises. We will introduce the details of the curricula and evaluation data in the following sections.
III. BUILDING THE DIGITAL FORENSICS CURRICULA
Below we report on our efforts to incorporating standards education in BGSU curricula of cybersecurity and digital forensics. In particular, we have incorporated NIST standards in three modules of the digital forensics curricula as follows.
A. Hardware Write Blocker (HWB)
Typically, HWB works as a bridge between the host com- puter and the storage disk. It prevents “write” commands (which may modify data/evidence) from reaching the storage disk but allows information on the disk to flow to the forensic tool (or the OS) on the host computer.
1) Pre-course Plan: One main goal is to make students familiar with NIST’s Hardware Write Blocker Device (HWB) Specification [2]. This document lists four categories of com- mands (to access a storage device), such as modifying, read, information, and other non-modifying. These commands can originate from the host computer via the BIOS, operating system, file system operations or the forensic tool in use. The minimum requirement for a HWB is to ensure that no modifying command can pass through. It is essential for the students to learn how to evaluate a HWB device conforming to the standards.
2) Implementation: For the sake of concreteness, below we present details of one sample lab exercise in the HWB module and we also list the tools/supports that are needed to run this lab.
Tools/supports needed: (i) NIST CFTT Federated Testing Linux system. This bootable system can be freely downloaded from the CFTT portal.(ii) HWB devices. We bought 9 counts of this device whose price was about 400$ each; (iii) Hard disks. We bought 30 counts of hard disks whose average price was about 30$. (iv) Host computers: We already have regular desktop computers in the labs on which students run the VM using VirtualBox. An example setup of the HWB device (which is under evaluation) is illustrated in Figure 1.
A sample lab exercise: The students are assigned the following tasks (derived from Federated Testing instructions).
Task 1: Use the Federated Testing ISO file to start a VM on VirtualBox on a desktop computer.
Task 2: On the welcome page of Federated Testing Forensic Tool Testing Environment, click on “Test a hardware write block tool”. Then, walk over the following steps to test a HWB. (a) Go to “Hardware Write Block Home” page and click on “ Get Started”. (b) Insert one flash drive to computer which you will use as Log Drive for this test. (c) Follow the instruction to mount the Log Drive. (d) Go to “Generate test
Fig. 1. The lab setup: The HWB device (which is under evaluation) is placed in the middle of the hard disk (which is under protection) and the host computer (running NIST CFTT Federated Testing System).
cases and start testing”. (e) Select a hardware write block type. Choose the “hard drive” option. (f) Describe the write blocker. Put in detailed information on manufacturer and model name, and so on. Select the drive type as SATA. Choose USB3 as the type of connection between test computer and HWB. (g) Select the FT-HWB-SATA option and ‘Run test case’. Get results. (h) Generate a test report; a test report copy will be written in the Log Drive. (i) Open the test report in a Windows computer, and copy the content of the report to a new word document. (j) Go to the log file in the Log Drive (something like hwbtestlog.txt) and find the detailed test results. Now focus on a specific write command (e.g., opcode 30h). During the test, this command (30h) was issued to write to one sector (say S) of the hard disk. Check the (reported) content of the sector S before the test and after the test. Briefly verify whether they are “unchanged.
3) Limitations and Future Plan: (i) In BGSU CS computer lab, for security reasons, machines do not have “boot from CD” option. As a way out, we have used a VM, which is loaded with Federated Testing system. Mostly, this solution worked for our students, except occasional collapse of the VM screen, which we addressed by rebooting the VM (possibly multiple times). (ii) The NIST CFTT exercise on HWB was informative to students and it was easy to do. Most of the students have successfully completed it and also generated an independent report on evaluating a HWB. However, students did not understand/appreciate the detailed evaluation report on specific commands (e.g., opcode 30h) that HWB blocks. We plan to add curricula modules in the next offering to make students familiar with this plus add more lab exercises to experiment with this.
B. Deleted File Recovery (DFR)
A DFR tool attempts to discover data that is not part of any active file on a storage disk, which is helpful in forensic analysis. If the data is recovered in its original form, we may get additional useful information.
1) Pre-course Plan: We mainly focus on incorporating the Active File Identification & Deleted File Recovery Tool Specification [3] in the DF course. The NIST document lists the requirements a DFR tool needs to satisfy. The first, Requirements for Core Features, are those features that should be present in all tools. The second is the Requirements for Optional Features. Core Features include (i) The tool identifying all deleted objects whose entries are accessible in residual metadata. (ii) The tool constructing a recovered object for each such entry. (iii) Each recovered object including all non-allocated data blocks. The NIST document lists two Optional Features, which are active file listing and content estimation of a recovered object.
2) Challenges: NIST only provides a list of specifica- tions/criteria for a DFR tool to meet. However, NIST does not provide sample file system images to evaluate the DFR tool on any of this criterion. We have to design such file system images on our own.
3) Implementation: For the sake of concreteness, below we present details of one sample lab exercise in the DFR module and we also list the tools/supports that are needed to run this lab.
Tools/supports needed: (i) DFR tools in Autopsy/SleuthKit (TSK) suite (ii) file system images in which some of the files are deleted using various tools, representing different scenarios.
A sample lab exercise: We have prepared two FAT images, which contain a few files (some of which were created and deleted). The students are given these images.
In Figure 2, File 1 is aa.txt (containing only char a’s), File 2 is bb.txt (containing only char b’s), File 3 is cc.txt (containing only char c’s) and File 4 is dd.txt (containing only char d’s). First, we created File 1, File 2, and File 3 in a FAT system (Image 1: fat.raw), where each one is of size 1 MB. These 3 files have filled in most of the space in the file system. Then, we deleted File 1 and File 3, and we created File 4 of size about 1.6 MB, which gets fragmented (due to space crunch). In Image 2 (fatDeletedOrOverwritten.raw), see File 4 overwrites whole of File 1 and part of File 3.
The students are assigned the following tasks to evaluate the TSK tool’s performance whereas it attempts to recover the file cc.txt.
Task 1: Use istat command to see the cc.txt meta-data information on fatDeletedOrOverwritten.dd image.
Task 2: Now verify that cc.txt is not completely overwritten by dd.txt.
Task 3: Now try to recover cc.txt file using the icat com- mand
Task 4: Now answer the following. Does TSK tool support NIST CFTT Core Features?
4) Limitations and Future Plan: (i) Thus far, we have only been able to design DFR tool evaluation exercises only for the NTFS and FAT system. There are many other file systems (e.g. ext3, ext4, etc.) to evaluate a DFR tool on. (ii) So far we designed exercises focusing on the “Core Features” of a DFR tool per NIST CFTT. There are many “Optional Features” of
Fig. 2. The FAT images to evaluate the DFR tool: The left image is fat.raw whereas the right image is fatDeletedOrOverwritten.raw.
a DFR tool to experiment on, which we plan to do in the next offering.
C. Mobile Forensics
Forensics professionals frequently need to extract data from mobile phones as part of the investigation.
1) Pre-course Plan: To ensure basic training of digital forensics students, we need to make them aware of the stan- dards related to evaluating a mobile forensics data extraction tool. To cover each standard, we design multiple labs, and include them in the DF curricula.
2) Challenges: NIST only provides a list of specifica- tions/criteria for a mobile forensics tool to meet. However, NIST does not provide sample mobile phone images to eval- uate the forensics tool on any of this criterion. We had to collect such mobile phone images from other sources, such as a NSF-funded digital forensics project at UIUC. We need multiple such phone images in the future to evaluate a mobile forensic tool.
3) Implementation: For the sake of concreteness, below we present details of one sample lab exercise in the mobile forensics module and we also list the tools/supports that are needed to run this lab.
Tools/supports needed: (i) The mobile forensics tool in Magnet Axiom suite, (ii) smart phone images containing sus- picious artifacts (e.g., contacts, call logs, sms, maps, browser history, etc.) representing a real-life criminal investigation case.
A sample lab exercise: The students analyze a mobile phone full image with Magnet Axiom tool suite. We have received the image from UIUC course/material on digital forensics. The tasks are as follows.
Task 1: Get the phone image mob.dd which is a full-image of a smart phone.
Task 2: Open Magnet Axiom Process with credentials.
Task 3: Add Case Details to Magnet Axiom Process while selecting the mob.dd file to analyze
Task 4: Analyze evidence and view all artifact categories. Task 5: Look into the SMS, contacts, call logs, maps and
browser information for the investigation, and build your case. Write a summary of your findings.
4) Limitations and Future Plan: (i) So far we could run mobile forensic tool evaluation exercise only for a particular model of smart phone. In the future, we need to make/collect smart phone images for multiple phone models to expand the domain of evaluation. (ii) So far we designed exercises focusing on the “core criteria” of a mobile forensics tool. There are many “auxiliary criteria” of a mobile forensics tool to experiment on, which we plan to do in the next offering.
In the future, we aim to incorporate NIST standards in additional modules (i.e., beyond the aforementioned three), such as Forensic File Carving, Forensic Media Preparation, Disk Imaging, String Search, Software Write Blocker, and more.
D. Setting up a digital forensics laboratory
So far at BGSU we have been using a make-shift digital forensics lab sharing few desktop machines and other facilities in the regular computer lab. This created many challenges for us who have offered cybersecurity and digital forensics courses recently. However, this experience has made us aware of the precise requirements of a digital forensics lab and a reliable setup. In fact, we have shared our experience with the IT support staff of BGSU; we have worked together to chalk out a physical layout of a digital forensics lab with detailed configuration of desktops, software/hardware tools, computer networking setup (especially due to the requirement of making a digital forensics lab isolated from other part of the network). For instance, we are to extend our academic license from a few digital forensic companies (e.g. Magnet
Axiom, etc.). Moreover, we are to buy more counts of standard hardware (e.g. HWB, etc.). In fact, BGSU has started building a dedicated digital forensics lab since January of 2019 which should be ready in a few months.
IV. EVALUATION OF STUDENTS LEARNING
A. Rationale and Purpose
We set out to understand if students, who enrolled in computer science courses designed to teach computer security and/or digital forensics, would demonstrate higher self-efficacy at the end of the semester, compared to their self-efficacy at the beginning of the semester. Specifically, we hypothesized that students would experience stronger computer science self- efficacy after taking these courses. This expectation was based on the project teams expertise in working with college students enrolled in computer science courses, as well as the current job opportunities for students studying computer science; there is strong market demand for experts in computer security and digital forensics. Thus, we expected that students who are able to learn more about these high-demand topics in the field of computer science would experience increased confidence in their own abilities as computer scientists. We also hypothesized that students enrolled in these courses would not experience increased general academic self-efficacy, given that the focus of the courses was specifically tailored to improving computer security and digital forensics skills, and not general academic skills.
Research Questions: The purpose of this exploratory study was to investigate the following research questions:
1. Is there a statistically significant increase in students general self-efficacy after participating in a semester-long computer security course?
2. Is there a statistically significant increase in students computer science self-efficacy after participating in a semester-long computer security course?
3. After learning about computer security, and NIST stan- dards in particular, what do students think about the importance of standardization?
B. Setting & Population
This study was conducted at a mid-sized public university in the Midwest United States. Participants (n = 20) were undergraduate (n = 16) and graduate (n = 4) students enrolled in two computer science courses during fall 2018. All students enrolled in these courses (n = 23) were invited to participate in our study. Participants were primarily male (99%) and Caucasian (70%).
C. Research Design & Instrumentation
This study employed a single-group pre-test/post-test de- sign. We administered the following measures (pre and post) as part of this study:
1) General self-efficacy: We administered the New General Self-Efficacy Scale [4] at both pre- and post-test online using Qualtrics, the universitys online survey tool. The NGSE is an eight-item questionnaire with response options scored on a 5- point Lickert-type scale from strongly disagree (1) to strongly agree (5). Questions on this measure include items such as: 1) I will be able to achieve most of the goals I have set for myself and 2) When facing difficult tasks, I am certain that I will accomplish them.
2) Computer Science Self-Efficacy: We administered the Self-Efficacy in Learning Computer Science Scale [5] at both pre- and post-test online using Qualtrics, the universitys online survey tool. The SELCSS is an eight-item questionnaire with response options scored on a 7-point Lickert-type scale from strongly disagree (1) to strongly agree (7). Please note: We used a 5-point scale for this measure because in our online questionnaire, the two self-efficacy measures were presented back-to-back. We wanted to make the response options easier for students to read and score. Questions on this measure include items such as: 1) “I believe I will receive and excellent grade in the computer science class” and 2) “I am certain I can understand the most difficult material in the computer science class.”
3) Qualitative Questionnaire for Students Understanding of NIST Standards and Network Security Protocols: This questionnaire was administered to students in the computer security course (n = 20). One of the projects Principal Inves- tigators developed the following questions to probe students understanding and support for standards/standardization:
1. We have learned that a number of Cryptography algo- rithms are made NIST standards. So in your opinion, is it important to standardize those algorithms? And why?
2. We have learned that a number of Network Security protocols are made standards. SO, in your opinion, is it important to standardize those algorithms? And why?
D. Data Analysis
Data analysis for the quantitative data included calculation of means, standard deviations, and t-tests for related samples. Data analysis for the qualitative feedback involved one of the projects principal investigators, along with the projects evaluator, examining student feedback and identifying com- ments that indicate a) whether or not the student agrees that standardization is important, and b) why students believe this to be true.
E. Results
For the quantitative analyses, we observed no change in students general self-efficacy at the end of the semester (see Table I). However, we did observe a positive, statistically significant change in students computer science self-efficacy (see Table II).
For the qualitative analyses focused on Importance of Standards: Students (n = 20) answered questions related to the importance of NIST standards. Student comments related
TABLE I COMPARISON OF COMPUTER SCIENCE STUDENTS’ GENERAL
SELF-EFFICACY PRE TO POST (N = 20).
Instrument Mean SD t p NGSE pretest 1.45 0.51 -0.281 0.780 NGSE posttest 1.50 0.61 Note: NGSE = New General Self Efficacy Scale.
TABLE II COMPARISON OF COMPUTER SCIENCE STUDENTS’ COMPUTER
SELF-EFFICACY PRE TO POST (N = 20).
Instrument Mean SD t p SELCSS pretest 1.65 0.67 -2.305 0.026 SELCSS posttest 2.20 0.83 Note: SELCSS = Self-Efficacy for Learning CS Scale. p < 0.05.
to importance of NIST standards: We share (Table III) ex- cerpts from comments that are typical responses students gave regarding whether (yes, n = 17) and why NIST standards are important. Note: Highlighted text indicates key words demonstrating support for standardization, and understanding of rationale for standards use.
TABLE III EXAMPLES OF STUDENTS’ QUALITATIVE FEEDBACK ON IMPORTANCE OF
NIST STANDARDS (N = 17)
It is important for a cryptographic algorithm to comply with NIST standards mostly because it protects people from attacks. Yes, following a standard ensures all criteria are met. Yes. Having a standardized hard to crack set of cryptography algorithms is very important in order to better regulate and ensure security standards in different systems. Without these algorithms, valuable assets can be at risk, and lazily implemented algorithms can be easily broken in to by attributes It is important to standardize these algorithms sufficient encryption strength is an integral part of cyber security. If these algorithms don’t meet the standard, there is no way of determining their adequacy and reliability, making the system vulnerable to attackers. Note: Three students who responded to these questions either did not believe standards are important, or offered rationale that was not clear and/or correct. Only a few excerpts are offered here due to space limitations.
F. Summary
The research team set out to understand whether teaching students about the use of professional industry standards for computer science might be associated with changes in students self-efficacy as well as students support for the use of these standards. We are encouraged that in spite of our small sample size, we did find positive, and statistically significant, improve- ments in students computer science self-efficacy. Moreover, nearly all students who responded to qualitative questions on the importance of standards indicated that they did support use of the standards as well as a clear rationale for why using standards is important for computer security. Resource con- straints did not allow for recruitment of a matched comparison
group. The project team would like to replicate this study in future semesters with the inclusion of a comparison group of computer science students and a larger sample size overall. We believe results of this study offer support for teaching students enrolled in computer science programs about NIST standards use and implementation.
V. CONCLUSION
The development of a digital forensics specialization pro- gram from scratch was challenging for us at BGSU. Yet it was an enriching experience. In this paper, we have discussed a few of the problems that we encountered. Furthermore, we have incorporated NIST standards in digital forensics curricula to better prepare the future workforce. Deliverables of the our NIST project include a set of lectures and hands- on activities to help students gain specific skills in various aspects of Digital Forensics discipline. The student evaluation data demonstrates effectiveness of delivering the designated knowledge and skills.
ACKNOWLEDGMENT
This work was supported by NIST [grant number #70NANB17H321]; The authors wish to thank the follow- ing graduate students for their work on this project: Shiva Bhusal, Sunil Shrestha, and Thamali Madhushani Adhikari Mudiyanselage.
REFERENCES
[1] Software Quality Group: Computer Forensics Tool Testing Program (CFTT), https://www.nist.gov/itl/ssd/software-quality-
group/computer-forensics-tool-testing-program-cftt
[2] Hardware Write Blocker Device (HWB) Specification (Version 2.0, May 19, 2004), https://www.nist.gov/sites/default/files/documents
/2017/05/09/hwb-v2-post-19-may-04.pdf
[3] Active File Identification Deleted File Recovery Tool Specification (March 24, 2009), https://www.nist.gov/sites/default/files/documents
/2017/05/09/dfr-req-1.1-pd-01.pdf
[4] Chen, G., Gully, S. M., Eden, D. (2004). General self-efficacy and self- esteem: Toward theoretical and empirical distinction between correlated self-evaluations. Journal of Organizational Behavior, 25(3), 375-395. doi:10.1002/job.251
Related Documents
